use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class STSRESTTest method validateJWTToken.
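/**
 * Validates a JWT issued by the STS REST endpoint: issuer, optional audience,
 * presence of the expiry / issued-at claims, and the RS256 signature made with
 * the STS key from {@code keys/servicestore.jks}.
 *
 * @param token    compact-serialized JWS as returned by the STS
 * @param audience the single expected audience value, or {@code null} to skip
 *                 the audience check
 * @throws KeyStoreException        if the JKS keystore cannot be instantiated or read
 * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
 * @throws CertificateException     if a certificate in the keystore cannot be parsed
 * @throws IOException              if the keystore resource cannot be opened or read
 */
private void validateJWTToken(String token, String audience)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Validate claims
    Assert.assertEquals("DoubleItSTSIssuer", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    if (audience != null) {
        // "aud" is serialized as a JSON array here; exactly one entry is expected.
        @SuppressWarnings("unchecked")
        List<String> audiences = (List<String>) jwt.getClaim(JwtConstants.CLAIM_AUDIENCE);
        Assert.assertNotNull("aud claim missing", audiences);
        Assert.assertEquals(1, audiences.size());
        Assert.assertEquals(audience, audiences.get(0));
    }
    Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));

    // Validate the signature with the STS certificate. The keystore stream is closed
    // deterministically instead of being left to the garbage collector.
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (java.io.InputStream in = Loader.getResource("keys/servicestore.jks").openStream()) {
        keystore.load(in, "sspass".toCharArray());
    }
    Certificate cert = keystore.getCertificate("mystskey");
    Assert.assertNotNull("certificate 'mystskey' not found", cert);
    // Fail with a clear assertion rather than a ClassCastException on the cast below.
    Assert.assertTrue(cert instanceof X509Certificate);
    // The algorithm is supplied explicitly, so the check is pinned to RS256 rather
    // than to whatever the token's own header advertises.
    Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}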
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class JAXRSOAuth2TlsTest method doTestTwoWayTLSClientIdBoundJwt.
/**
 * Obtains a JWT access token over two-way TLS and checks that it is bound to the
 * client certificate: the token carries a "cnf" claim with an x5t#S256 thumbprint,
 * the protected resources accept it when presented with the same certificate
 * (client.xml) and reject it with 401 when presented with a different one
 * (client2.xml), while the unprotected resource serves either.
 *
 * @param clientId the OAuth2 client id used to request the token
 * @throws Exception on any client-side failure
 */
private void doTestTwoWayTLSClientIdBoundJwt(String clientId) throws Exception {
    final String base = "https://localhost:" + PORT;

    // 1. Request a JWT access token over the mutually authenticated connection.
    WebClient tokenClient = createOAuth2WebClient(base + "/oauth2Jwt/token");
    ClientAccessToken token =
        OAuthClientUtils.getAccessToken(tokenClient, new Consumer(clientId), new CustomGrant());
    assertNotNull(token.getTokenKey());

    // 2. The token must carry a confirmation claim holding the certificate thumbprint.
    //    Only the payload is decoded here; the signature is not checked in this test.
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token.getTokenKey());
    JwtClaims claims = JwtUtils.jsonToClaims(consumer.getDecodedJwsPayload());
    Map<String, Object> confirmation = claims.getMapProperty(JwtConstants.CLAIM_CONFIRMATION);
    assertNotNull(confirmation);
    assertNotNull(confirmation.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256));

    String protectedRs1 = base + "/rsJwt/bookstore/books/123";
    String protectedRs2 = base + "/rsJwt2/bookstore/books/123";
    String unprotectedRs = base + "/rsUnprotected/bookstore/books/123";

    // 3. Same client certificate as the token request: both protected resources respond.
    Book book = createRsWebClient(protectedRs1, token, "client.xml").get(Book.class);
    assertEquals(123L, book.getId());
    book = createRsWebClient(protectedRs2, token, "client.xml").get(Book.class);
    assertEquals(123L, book.getId());

    // 4. Different client certificate (client2.xml).
    // Unprotected resource: still served.
    book = createRsWebClient(unprotectedRs, token, "client2.xml").get(Book.class);
    assertEquals(123L, book.getId());
    // Protected resources: the access token was created with the Morphit.jks key but the
    // RS is accessed with the Bethal.jks key, thus 401 is expected.
    assertEquals(401, createRsWebClient(protectedRs1, token, "client2.xml").get().getStatus());
    assertEquals(401, createRsWebClient(protectedRs2, token, "client2.xml").get().getStatus());
}
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class OIDCFlowTest method validateIdToken.
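/**
 * Validates an OIDC id_token: subject, issuer, audience, presence of the
 * expiry / issued-at claims, the nonce when one is expected, and the RS256
 * signature made with the "alice" key from {@code keys/alice.jks}.
 *
 * @param idToken compact-serialized JWS id_token
 * @param nonce   the nonce sent in the authorization request, or {@code null}
 *                to skip the nonce check
 * @throws KeyStoreException        if the JKS keystore cannot be instantiated or read
 * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
 * @throws CertificateException     if a certificate in the keystore cannot be parsed
 * @throws IOException              if the keystore resource cannot be read
 */
private void validateIdToken(String idToken, String nonce)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Validate claims
    Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    Assert.assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    Assert.assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        // The nonce ties the id_token to the authorization request that produced it.
        Assert.assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    // Validate the signature. The keystore stream is closed deterministically
    // instead of being left to the garbage collector.
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (java.io.InputStream in =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(in, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    Assert.assertNotNull("certificate 'alice' not found", cert);
    // Fail with a clear assertion rather than a ClassCastException on the cast below.
    Assert.assertTrue(cert instanceof X509Certificate);
    // The algorithm is supplied explicitly, so the check is pinned to RS256 rather
    // than to whatever the token's own header advertises.
    Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}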
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class OIDCFlowTest method testAuthorizationCodeFlowWithKey.
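/**
 * Runs the authorization code flow with the "openid" scope and verifies the
 * returned id_token's RS256 signature against the key published by the
 * provider's {@code keys/} endpoint (JWK set) rather than a local keystore.
 *
 * @throws Exception on any client-side failure
 */
@org.junit.Test
public void testAuthorizationCodeFlowWithKey() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + PORT + "/services/";

    WebClient client =
        WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);

    // Get Authorization Code
    String code = OAuth2TestUtils.getAuthorizationCode(client, "openid");
    assertNotNull(code);

    // Now get the access token
    client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "consumer-id", "this-is-a-secret", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    String idToken = accessToken.getParameters().get("id_token");
    assertNotNull(idToken);
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);

    // Now get the key to validate the token
    client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
    client.accept("application/json");
    client.path("keys/");
    Response response = client.get();
    // Assert the status first so a failed key lookup is reported as such rather than
    // as an unreadable entity.
    Assert.assertEquals(200, response.getStatus());
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);
    Assert.assertNotNull(jsonWebKeys);
    Assert.assertNotNull(jsonWebKeys.getKeys());
    Assert.assertFalse("JWK set is empty", jsonWebKeys.getKeys().isEmpty());
    // NOTE(review): the first published key is used; if the set ever holds several keys
    // the JWS "kid" header should select the matching one.
    Assert.assertTrue(jwtConsumer.verifySignatureWith(jsonWebKeys.getKeys().get(0), SignatureAlgorithm.RS256));
}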
use of org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer in project cxf by apache.
the class OIDCFlowTest method testHybridCodeIdToken.
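/**
 * Exercises the OIDC hybrid flow ({@code response_type=code id_token}): the
 * authorization endpoint must return both a code and an id_token carrying the
 * request nonce and a {@code c_hash}; exchanging the code at the token endpoint
 * must yield a second id_token that also carries {@code c_hash}.
 *
 * @throws Exception on any client-side failure
 */
@org.junit.Test
public void testHybridCodeIdToken() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + PORT + "/services/";
    // Single source for the nonce: it is sent in the request and expected back in the id_token.
    String nonce = "123456789";

    WebClient client =
        WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
    // NOTE(review): very large receive timeout, presumably to allow stepping through the
    // authorization step in a debugger — confirm it is still intended.
    WebClient.getConfig(client).getHttpConduit().getClient().setReceiveTimeout(100000000);
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);

    // Get location from the hybrid authorization endpoint
    AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
    parameters.setConsumerId("consumer-id");
    parameters.setScope("openid");
    parameters.setNonce(nonce);
    parameters.setResponseType("code id_token");
    parameters.setPath("authorize-hybrid/");
    String location = OAuth2TestUtils.getLocation(client, parameters);
    assertNotNull(location);

    // Check code
    String code = OAuth2TestUtils.getSubstring(location, "code");
    assertNotNull(code);

    // Check id_token: it must echo the nonce and carry the code hash returned from
    // the implicit authorization endpoint.
    String idToken = OAuth2TestUtils.getSubstring(location, "id_token");
    assertNotNull(idToken);
    validateIdToken(idToken, nonce);
    assertCodeHashPresent(idToken);

    // Now get the access token
    client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "consumer-id", "this-is-a-secret", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    // Check id_token from the token endpoint (nonce not re-checked here) and that it
    // also carries the code hash.
    idToken = accessToken.getParameters().get("id_token");
    assertNotNull(idToken);
    validateIdToken(idToken, null);
    assertCodeHashPresent(idToken);
}

/**
 * Asserts that the id_token carries the {@code c_hash} claim. Only the claim's
 * presence is checked; its value is not recomputed from the authorization code.
 *
 * @param idToken compact-serialized JWS id_token
 */
private static void assertCodeHashPresent(String idToken) {
    JwtToken jwt = new JwsJwtCompactConsumer(idToken).getJwtToken();
    Assert.assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM));
}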